The importance of the ASD ecosystem for Europe’s cybersecurity and cyber defence capacity

The importance of cybersecurity

We are in Europe’s digital decade. Digital technology is changing our lives and businesses. In this transformation, cybersecurity is increasingly important for the stability, resilience and development of our societies, institutions and economies. A secure cyberspace is indispensable for the control, management, maintenance and protection of all critical infrastructures (e.g. energy, communications, transportation, public health, government), assets and data. In defence, the availability of and access to superior digital information is a key enabler of effective action in all physical domains.

The digitalisation of critical infrastructures and defence systems means that both the attack surface and the potential impact of threats have expanded exponentially. At the same time, the number and severity of threats also continues to increase, particularly as state and state-backed actors develop ever more sophisticated capabilities.  In Ukraine, Russia has massively used the cyberspace for attacks against civilian and military targets; in the EU, governments and industries continuously face cyber threats, such as espionage and sabotage. Cyberspace is thus both an enabler and a new frontier in strategic competition and military confrontation.

The need for European technologies

Today, most of the cybersecurity solutions used in Europe originate abroad, in particular the US and Israel. One reason for this is the lack of European champions for mainstream and large-volume digital solutions, where US and Chinese providers dominate the market, even in strategic areas. On top of this come structural deficiencies in Europe’s cybersecurity market, mainly market fragmentation, insufficient public and private investment, and the absence of strategic public procurement policies. This dependence on non-European suppliers reduces Europe’s competitiveness, limits its freedom of action, and creates political, economic, military, and technological vulnerabilities. Therefore, it is not enough to promote a Digital Europe – we also need to secure and defend the strategic parts of Europe’s cyberspace with European solutions.

Replacing the totality of cyber technologies with solutions made in Europe is unrealistic. Europe cannot completely forgo imports of technologies from abroad if it is to succeed in the digital transition. At the same time, there is also a growing awareness of the new geopolitical realities and the need to reduce critical dependencies in strategic areas. We are convinced that cyber is one of these areas. Europe should therefore be able at least to guarantee an appropriate degree of technological sovereignty in cyber awareness, verification, continuity, and emergency management. The expertise needed for and generated by developing state-of-the-art tools for cybersecurity and cyber resilience can also be leveraged to provide armed forces with defence-specific cyber capabilities that are made in Europe, thus enhancing Europe’s freedom of action and deterrence capability.

European cybersecurity, cyber resilience and cyber defence are intrinsically linked with European industrial capacities. Only European companies with the necessary technological know-how and expertise can develop and produce trusted, tailor-made solutions that are sufficiently advanced to protect critical infrastructures and ensure our armed forces’ operational superiority in the cyber domain.

European sovereignty in key cybersecurity capabilities can only be ensured collectively with a fully-fledged research, design, development, production and support capacity across a range of essential technologies, including defence-specific ones. Market regulation is welcome, but not enough. What is needed is a comprehensive cyber industrial policy that sets a coherent framework for all relevant instruments and is underpinned by an ambitious commitment by the EU to support the development and market uptake of the required cyber security and defence technologies.

The creation of a single Cybersecurity market, a matrix of industrial capabilities to develop this type of technologies, the prioritisation of needs by the end users and the way to ensure the financing of the associated developments would be a key factor to articulate the roadmap to achieve such sovereignty.

The role of the European security and defence industries

The European aerospace, security and defence ecosystem, represented in ASD, is ready to play a leading role for Europe’s technological sovereignty in cybersecurity and cyber defence. High-level cybersecurity and cyber resilience is a core requirement of all security and defence products and an integral aspect of the respective supply chains. Moreover, many European aerospace, defence and security companies are themselves globally competitive providers of complex and sensitive cybersecurity solutions for the most demanding customers, such as national armed forces, intelligence agencies, public institutions and critical infrastructures. As a result, this ecosystem is uniquely positioned to develop trusted, state-of-the-art cybersecurity and cyber defence technologies that are needed for the protection of Europe’s most strategic sectors.

Our ecosystem is also unique in its capacity to manage the duality of cyber, leveraging the technological synergies between military and non-military cyber tools and able to understand and speak the language of both military and civilian users. This is important since cyber defence and cybersecurity have numerous commonalities in terms of core technologies, technical components and skills, but also specific missions (from cyber protection to deterrence to active defence) and different operational standards. Our ecosystem is equally conversant, for instance, with the NATO DOTMLPF-I framework that underpins military operations and the NIST Cybersecurity Framework for cyber protection in civilian organisations.

At the same time, our ecosystem cannot operate in isolation. In order to ensure an appropriate level of control over relevant technologies, we must work on standards (e.g. via ENISA) to ensure equal access to normalised interfaces and functions. We must also cooperate with companies that develop large-volume digital solutions and core cyber equipment, to be able to guarantee these products’ integrity and security. This cooperation requires building trustful relations with like-minded partners and must be supported by the Union and its Member States. An effective cyber industrial policy must therefore also include conditions and guarantees for these companies to share selected critical product information and open selected critical interfaces.

Cybersecurity is crucial for addressing the challenges of Europe’s digital transformation. The European Aerospace, Security and Defence ecosystem is uniquely positioned to provide the cyber solutions needed to protect Europe in an age of intensifying geopolitical competition. The EU and Member States must support this objective through a robust and effective cyber industrial policy.